Hacker Exposes Hotel Electronic Lock Vulnerability

In late July, public confidence in hotel security took a major blow. Cody Brocious, 24, demonstrated at a July 21-26 hacking conference in Las Vegas that almost ten million electronic locks used at hotels around the world are vulnerable to hacking, allowing quick and illicit entry into a hotel room. This number is about 50 percent of hotel locks, according to Brocious, whose interest in computing is said to have begun at the age of four. The initial reaction from Onity, the hacked locks' manufacturer, was low-key and reassuring.

Onity understands the hacking methods to be unreliable, and complex to implement. (July 25, 2012)

However, some hotel thefts in Texas since then are thought to have been made possible by Cody's revelation and the detailed explanation of the hotel lock's vulnerability that he had posted online. Other hackers joined in, adding improvements to the hack and publishing their work online, including in videos, and major news organizations picked up the story.

“As of November 30, 2012, Onity has shipped 1.4 million solutions for locks to hotel properties. Over the next several weeks, we will ensure all hotel properties in our database receive the mechanical solution. These mechanical caps and security screws block physical access to the lock ports that hackers use to illegally break into hotel rooms. The mechanical solution remains free of charge to customers.”

The vulnerability itself, in a vacuum, is quite severe. Any Onity HT lock can be opened in less than a second with a piece of hardware costing effectively nothing. The hardware can be built by someone with no special skills for only a few dollars and utilized with no real 'training'.

Further, he wrote,

Since the locks are not flashable, the only real way to fix them is to either prevent access to the jack (a non-solution) or replace the circuit boards in the locks. Either way, you're talking tens of millions of dollars to fix all the locks. Neither the individual hotels — primarily independently owned with very low margins — nor Onity can afford this.

A widely distributed photo shows Brocious hacking a hotel lock while wearing a T-shirt with the words, "It's fun to use learning for evil!" But Cody writes in his blog that he wrestled with his conscience about going public with the hacking vulnerability and concluded that it was the right thing to do. It would protect hotel guests, which was more important than protecting the vendor, Onity. He sounds persuasive. But what about that T-shirt? It sends a message opposite to the one he claims.

According to Forbes, Onity appears to be coming around to shelling out more cash to fix its locks, at least for IHG and Marriott. Pre-2005 locks and those outside the U.S. are subject to a less satisfactory plan.